
Free Online Latest 2014 Pass4sure&Lead2pass Microsoft 70-648 Exam Questions (271-280)


QUESTION 271
Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains five domain controllers. Site2 contains one read-only domain controller (RODC). Site1 and Site2 connect to each other by using a slow WAN link.
You discover that the cached password for a user named User1 is compromised on the RODC. On a domain controller in Site1, you change the password for User1. You need to replicate the new password for User1 to the RODC immediately. The solution must not replicate other objects to the RODC.
Which tool should you use?

A.    Active Directory Sites and Services
B.    Active Directory Users and Computers
C.    Repadmin
D.    Replmon

Answer: C
Explanation:
repadmin /rodcpwdrepl
Triggers replication of passwords for the specified users from a writable Windows Server 2008 source domain controller to one or more read-only domain controllers (RODCs).
Reference: http://technet.microsoft.com/en-us/library/cc742095.aspx

QUESTION 272
Your network contains an Active Directory forest. The forest contains an Active Directory site for a remote office. The remote site contains a read-only domain controller (RODC). You need to configure the RODC to store only the passwords of users in the remote site. What should you do?

A.    Create a Password Settings object (PSO).
B.    Modify the Partial-Attribute-Set attribute of the forest.
C.    Add the user accounts of the remote site users to the Allowed RODC Password Replication Group.
D.    Add the user accounts of users who are not in the remote site to the Denied RODC Password Replication Group.

Answer: C
Explanation:
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and Denied RODC Password Replication Group.
These groups help implement a default Allowed List and Denied List for the RODC Password Replication Policy.
Reference: http://technet.microsoft.com/en-us/library/cc730883.aspx

QUESTION 273
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a writable domain controller named DC1 and a read-only domain controller (RODC) named DC2. All domain controllers run Windows Server 2008 R2.
You need to install a new writable domain controller named DC3 in a remote site. The solution must minimize the amount of replication traffic that occurs during the installation of Active Directory Domain Services (AD DS) on DC3.
What should you do first?

A.    Run dcpromo.exe /createdcaccount on DC3.
B.    Run ntdsutil.exe on DC2.
C.    Run dcpromo.exe /adv on DC3.
D.    Run ntdsutil.exe on DC1.

Answer: D
Explanation:
We can run dcpromo.exe /adv on DC3 to install a new writable DC using the Install From Media (IFM) option to reduce replication traffic. But before we can do that, we have to create the installation media first. This is done with ntdsutil. This must be done on DC1 rather than DC2, as DC2 is a RODC.
“You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently.” (…) “You must use writeable domain controller installation media to install a writeable domain controller. You can create writeable domain controller installation media only on a writeable domain controller.”
Reference: http://technet.microsoft.com/en-us/library/cc770654.aspx

QUESTION 274
Your network contains an Active Directory domain. The domain contains several domain controllers.
You need to modify the Password Replication Policy on a read-only domain controller (RODC).
Which tool should you use?

A.    Group Policy Management
B.    Active Directory Domains and Trusts
C.    Active Directory Users and Computers
D.    Computer Management
E.    Security Configuration Wizard

Answer: C
Explanation:
To configure the PRP using Active Directory Users and Computers
1. Open Active Directory Users and Computers as a member of the Domain Admins group.
2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain.
(…)
Reference: http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx

QUESTION 275
Your network contains an Active Directory domain. The domain contains five sites. One of the sites contains a read-only domain controller (RODC) named RODC1.
You need to identify which user accounts can have their password cached on RODC1.
Which tool should you use?

A.    Repadmin
B.    Dcdiag
C.    Get-ADDomainControllerPasswordReplicationPolicyUsage
D.    Adtest

Answer: A
Explanation:
Reference: http://technet.microsoft.com/en-us/library/cc835090.aspx
The Get-ADDomainControllerPasswordReplicationPolicyUsage cmdlet gets the user or computer accounts that are authenticated by a read-only domain controller (RODC) or that have passwords that are stored on that RODC.
DCDiag is used to test general problems that can occur in AD environments.
Adtest is a performance testing tool for AD.
Reference: http://www.microsoft.com/en-us/download/details.aspx?id=15275

QUESTION 276
Your network contains an Active Directory domain named litwareinc.com. The domain contains two sites named Site1 and Site2. Site2 contains a read-only domain controller (RODC).
You need to identify which user accounts attempted to authenticate to the RODC.
Which tool should you use?

A.    Active Directory Users and Computers
B.    Ntdsutil
C.    Get-ADAccountResultantPasswordReplicationPolicy
D.    Adtest

Answer: A
Explanation:
Periodically, you should review whose accounts have been authenticated to an RODC. (…) You can use Active Directory Users and Computers or repadmin /prp to review whose accounts have been authenticated to an RODC.
Reference: http://technet.microsoft.com/en-us/library/83a6daba-cdde-4606-97a3-6ebb9d7fa6bf(v=ws.10)#BKMK_Auth2
Get-ADAccountResultantPasswordReplicationPolicy is used to get the members of the allowed list or denied list of a read-only domain controller’s password replication policy. Get-ADDomainControllerPasswordReplicationPolicyUsage could be used, but is not listed.
Reference: http://technet.microsoft.com/en-us/library/ee617207.aspx
ntdsutil is used for offline management of the AD database and files.
Adtest is a performance testing tool for AD.
Reference: http://www.microsoft.com/en-us/download/details.aspx?id=15275

QUESTION 277
Your company has an Active Directory forest that contains multiple domain controllers. The domain controllers run Windows Server 2008.
You need to perform an authoritative restore of a deleted organizational unit and its child objects.
Which four actions should you perform in sequence? (To answer, move the appropriate four actions from the list of actions to the answer area, and arrange them in the correct order.)

image
Answer:
image

Explanation:
If you are performing authoritative restore on a domain controller that has already received replication of the deletions, perform the following procedures on the recovery domain controller: (…)
1. (…) Restore from backup requires restarting the domain controller in DSRM. Taking the domain controller offline by stopping AD DS is not sufficient to run Ntdsutil procedures to restore from backup.
2. Restore AD DS from Backup (Nonauthoritative Restore)
3. Mark an Object or Objects as Authoritative (…)
4. Restart the domain controller normally. (MY NOTE: Obviously restarting in Safe Mode won’t help us much! The DC would not be able to synchronize!)
Reference: http://technet.microsoft.com/en-us/library/cc816878.aspx

QUESTION 278
Your network contains an Active Directory domain. The relevant servers in the domain are configured as shown in the following table:

image
You need to ensure that all device certificate requests use the MD5 hash algorithm.
What should you do?

A.    On Server2, run the Certutil tool.
B.    On Server1, update the CEP Encryption certificate template.
C.    On Server1, update the Exchange Enrollment Agent (Offline Request) template.
D.    On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\HashAlgorithm\HashAlgorithm registry key.

Answer: D
Explanation:
The hash algorithm for certificate requests is chosen when the CA is configured. After the CA is set up, it can only be modified by editing the appropriate registry entries for Microsoft’s cryptography provider.
certutil has options to apply a hash over existing files but cannot change the algorithm used for certificate requests.
The CEP Encryption template allows a computer account to serve as a registration authority for simple enrollment requests.
The Exchange Enrollment Agent (Offline Request) template is used to request certificates on behalf of another subject/user.

QUESTION 279
Your network contains an Active Directory domain. The domain contains an enterprise certification authority (CA) named Server1 and a server named Server2. On Server2, you deploy Network Policy Server (NPS) and you configure a Network Access Protection (NAP) enforcement policy for IPSec.
From the Health Registration Authority snap-in on Server2, you set the lifetime of health certificates to four hours. You discover that the validity period of the health certificates issued to client computers is one year. You need to ensure that the health certificates are only valid for four hours. What should you do?

A.    Modify the Request Handling settings of the certificate template used for the health certificates.
B.    Modify the Issuance Requirements settings of the certificate template used for the health certificates.
C.    On Server1, run certutil.exe -setreg policy\editflags +editf_attributeenddate.
D.    On Server1, run certutil.exe -setreg dbflags +dbflags_enablevolatilerequests.

Answer: C
Explanation:
Use the following procedure to allow the CA to issue the new health certificate template. This procedure applies to an enterprise NAP CA only.
To allow template validity period override:
1. On the NAP CA, click Start, click Run, right-click Command Prompt, and then click Run as administrator.
2. In the command window, type Certutil.exe -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE, and then press ENTER.
3. In the command window, type net stop certsvc && net start certsvc, and then press ENTER.
4. Verify that Active Directory Certificate Services (AD CS) stops and starts successfully.
Reference: http://technet.microsoft.com/en-us/library/dd296906(v=ws.10).aspx

QUESTION 280
An Active Directory database is installed on the C volume of a domain controller.
You need to move the Active Directory database to a new volume. What should you do?

A.    Copy the ntds.dit file to the new volume by using the ROBOCOPY command.
B.    Move the ntds.dit file to the new volume by using Windows Explorer.
C.    Move the ntds.dit file to the new volume by running the Move-Item command in Microsoft Windows PowerShell.
D.    Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.

Answer: D
